tomcat-users mailing list archives

From Rossen Raykov <Rossen.Ray...@CognicaseUSA.com>
Subject RE: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability
Date Wed, 25 Sep 2002 13:57:08 GMT
The servlets are not vulnerable since their code is under WEB-INF and is
successfully protected from downloads.
All other interpreted application stuff outside of WEB-INF, like JSPs, is
vulnerable since it can be downloaded as regular files without being
processed by the corresponding engine.
That's why I believe Velocity should suffer from this bug in the same way
JSP does.
I didn't test Velocity, but there is no reason that it would be resistant
to this exposure.

Regards,
Rossen Raykov

> -----Original Message-----
> From: Kent Perrier [mailto:kperrier@ev1.net]
> Sent: Tuesday, September 24, 2002 6:59 PM
> To: Tomcat Users List
> Subject: Re: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability
> 
> 
> On Tue, Sep 24, 2002 at 06:52:10PM -0400, Tim Moore wrote:
> > OK, thanks. (The BugTraq search engine wasn't working when I checked
> > there.)
> > 
> > So it sounds pretty much like what I thought it was. I still don't
> > understand why Velocity wouldn't be vulnerable to this exploit.
> 
> It sounds to me like it should be.  From the bugtraq post, all servlets
> and JSPs that run in a Tomcat instance are vulnerable.  Since Velocity
> runs under Tomcat, logically, it is vulnerable.  All other claims are
> illogical.
> 
> Kent
> 
> --
> To unsubscribe, e-mail:   
> <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
> For additional commands, e-mail: 
> <mailto:tomcat-user-help@jakarta.apache.org>
> 
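
An added example, not part of the original messages or of Tomcat: a Python check that walks an exploded web application directory and lists JSP and Velocity template sources sitting outside the top-level WEB-INF, which is the distinction the reply above draws. The extension list, function names and sample layout are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumed extensions (not from the thread): JSP pages and Velocity templates.
TEMPLATE_EXTS = {".jsp", ".jspx", ".jspf", ".vm"}
PROTECTED_TOP_DIR = "WEB-INF"  # only the directory directly under the webapp root


def exposed_templates(webapp_root):
    """Return sorted relative paths of template sources outside the root WEB-INF."""
    exposed = []
    for dirpath, _dirnames, filenames in os.walk(webapp_root):
        rel_dir = os.path.relpath(dirpath, webapp_root)
        parts = [] if rel_dir == "." else rel_dir.split(os.sep)
        # A nested directory that merely happens to be named WEB-INF
        # (e.g. admin/WEB-INF) is not the protected one, so it is still scanned.
        if parts and parts[0] == PROTECTED_TOP_DIR:
            continue
        for name in filenames:
            if os.path.splitext(name)[1].lower() in TEMPLATE_EXTS:
                exposed.append("/".join(parts + [name]))
    return sorted(exposed)


def build_sample_webapp(root):
    """Create a constructed webapp layout for the demonstration."""
    sample_files = [
        "index.jsp",
        "templates/report.vm",
        "static/readme.txt",
        "WEB-INF/web.xml",
        "WEB-INF/views/home.jsp",
        "WEB-INF/templates/mail.vm",
        "admin/WEB-INF/old.jsp",
    ]
    for rel in sample_files:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")


def demo():
    """Build the constructed layout in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_webapp(root)
        return exposed_templates(root)


if __name__ == "__main__":
    for path in demo():
        print("template source outside WEB-INF:", path)
```

Templates reported by the check are candidates for relocation under WEB-INF, where they are reached only through a servlet or controller rather than by direct request.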
